While it's a worthy sentiment, leaked National Security Agency (NSA) documents show that the U.S. government agency has a different priority: Direct access to all Hotmail and Outlook.com emails, as well as all audio and video communications handled by Skype, which has an estimated 663 million global users.

The leaked information shows the extent to which Microsoft -- and by extension other technology giants, including Google and Facebook -- have worked with the FBI, which serves as a liaison between technology companies and the NSA. One result has been to give the NSA and CIA direct access to their systems, as part of the so-called Prism program, amongst other court-ordered U.S. surveillance efforts.

The documents demonstrate that access to Microsoft's systems by U.S. intelligence agencies isn't superficial. Indeed, an internal NSA memo cited by the Guardian said that Microsoft's switch to a new Outlook.com encryption system in February wouldn't interrupt the agency's free access to encrypted emails or chat sessions. "For Prism collection against Hotmail, Live and Outlook.com, emails will be unaffected because Prism collects this data prior to encryption," it said. A similar system now also appears to be in place for Microsoft's SkyDrive cloud storage service.

According to the referenced documents, Microsoft's work with the NSA to allow it to intercept Skype communications began in November 2010. The company was then ordered on Feb. 4, 2011, in a directive signed by the attorney general, to comply with the program. Two days later, the NSA began collecting Skype communications, although technical challenges appeared to prevent the agency from being able to reliably record video. By July 2012, however, that challenge had been surmounted, and the volume of intercepted video rapidly increased.

In Microsoft's defense: Legally speaking, there's little, if anything, it could have done differently. Furthermore, Microsoft officials are legally prohibited from discussing the contents of Foreign Intelligence Surveillance Court orders, with which they must comply or risk going to jail.

A Microsoft spokeswoman, in an emailed statement, said: "We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes."

Microsoft also said its participation was contingent on the law enforcement and national security information requests being legally sound as well as targeted. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks, as the volumes documented in our most recent disclosure clearly illustrate." That disclosure refers to Apple, Facebook, Microsoft and Yahoo having detailed the number of requests they've received for customer data from the U.S. government, after requesting and receiving permission to do so from the Department of Justice.

Intelligence officials emphasized that U.S. businesses have a legal responsibility to comply with court-ordered requests to furnish information on their customers and users. "The articles describe court-ordered surveillance -- and a U.S. company's efforts to comply with these legally mandated requirements," said Shawn Turner, the director of public affairs for the Director of National Intelligence, and Judith Emmel, the director of public affairs for the NSA, in a joint emailed statement. "The U.S. operates its programs under a strict oversight regime, with careful monitoring by the courts, Congress and the Director of National Intelligence. Not all countries have equivalent oversight requirements to protect civil liberties and privacy."

"In practice, U.S. companies put energy, focus and commitment into consistently protecting the privacy of their customers around the world, while meeting their obligations under the laws of the U.S. and other countries in which they operate," they said.

But Microsoft's hands remain tied when it comes to the company being able to explain exactly how it must comply with law enforcement and national security information requests. Accordingly, Microsoft and Google, working with a number of privacy and civil liberties groups, Monday filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking to lift the gag order that prevents them from discussing how they furnish data to the NSA. Yahoo, meanwhile, demanded in a Foreign Intelligence Surveillance Court filing that the court publish its legal argument against a key 2008 case in which Yahoo was compelled to participate, saying it would show the technology company "objected strenuously" to the NSA's data-capture demands.

Microsoft's statement also suggested that the company hasn't been able to tell its side of the story. "There are aspects of this debate that we wish we were able to discuss more freely. That's why we've argued for additional transparency that would help everyone understand and debate these important issues," it said.

Microsoft should have resisted the court orders if they indeed consider privacy that important. They may not have won the fight in the end, but it surely would have been become public and Microsoft has pockets deep enough to take on the government. But in the end more profit was to be made by aiding illegal spy programs than stand on moral ground. At least Goggle tells you that anything you give them will be turned into cash.

As the article mentions, I'm not sure anyone at Microsoft could have done anything more to protect user's privacy. It seems to me users should be pushing for transparency of the government's, specifically the NSA's, actions to force Microsoft and other companies to comply. Something tells me the extent to which the government is seeking access to user data is greater than the actual need of the data for security purposes.

At best they could have done what others more recently have done and shut off the service. They couldn't say why, due to the nature of FISA orders, but they could have chosen to state something like "Due to government regulations we may no longer offer you a secure communications platform."

Published: 2015-03-31The build_index_from_tree function in index.py in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree.